CNX-001 CompTIA CloudNetX Exam Questions and Answers

Comprehensive and Detailed Explanation From Exact Extract:

Since the subnet and IPs were changed recently, and users are accessing the database through a web application, the likely issue is that DNS records have not been updated to reflect the new IP addresses. If DNS is pointing to old IPs, users will fail to reach the services even if they are up and reachable on the new subnet.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “DNS and Network Configuration Troubleshooting”:

“DNS misconfiguration is a common issue following IP address changes. If DNS entries are not updated accordingly, clients will attempt to reach services at outdated IPs.”

Other options:

A. No indication of web server misconfiguration is provided.

B. Firewall issues would affect all users, not just one.

D. The web server has a valid IP in the subnet range; no misconfiguration is indicated.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Traffic mirroring allows a copy of network traffic — including headers and payloads — to be sent to an analysis tool or appliance for deep packet inspection. This is essential for security analysis, network troubleshooting, and performance diagnostics in cloud environments.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Packet Capture and Network Flow Monitoring”:

“Traffic mirroring enables the capture of full packet data, including payloads, for forensic or performance analysis within cloud networks.”

Other options:

A. Application monitoring focuses on app-level metrics, not packet inspection.

B. Syslog is log-based, not for inspecting packets.

D. Network flows (e.g., NetFlow, VPC flow logs) provide metadata (source, destination, size) but not full packet content.

Comprehensive and Detailed Explanation From Exact Extract:

A mesh topology allows every site to connect directly to every other site, enabling the shortest and lowest-latency path between locations. This is ideal for SD-WAN deployments that must minimize latency for inter-site communication globally. In contrast, hub-and-spoke models force all traffic through a central hub, increasing latency.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “WAN Technologies and Topologies”:

“Mesh topologies offer direct connectivity between all participating sites, reducing latency and avoiding single points of failure. They are optimal for SD-WAN deployments requiring performance and resilience.”

Other options:

A. Star topology routes all traffic through a central node, introducing latency.

B. Spine-and-leaf is used in data center architectures, not global WANs.

D. Hub-and-spoke centralizes routing and increases latency between remote sites.

A full-mesh SD-WAN topology allows each site to establish direct overlays with every other site, minimizing the number of hops and avoiding backhauling through a central hub, thereby delivering the lowest latency paths between Asia, Europe, and the US.

Comprehensive and Detailed Explanation From Exact Extract:

SD-WAN (Software-Defined Wide Area Networking) is ideal for enterprises that want to simplify WAN management, reduce operational overhead, and optimize connectivity to cloudservices. SD-WAN provides intelligent traffic routing, dynamic path selection, and direct-to-cloud access without backhauling traffic through a central data center.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “SD-WAN and Cloud Connectivity”:

“SD-WAN enables efficient cloud access from branch offices and simplifies management through centralized policy control. It is cost-effective and reduces the need for complex hardware configurations and manual routing.”

Other options:

B. Adds latency and overhead by backhauling through headquarters.

C. MPLS is expensive and less flexible than SD-WAN.

D. Dark fiber is high-cost and not scalable for cloud-first architectures.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

With GitOps, all infrastructure changes are tracked as code and committed to version-controlled repositories. When the main branch is protected, changes should not be committed directly. Instead, best practices require that a new feature or change branch be created, followed by a pull request (PR) for peer review and approval before merging into the protected branch.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Infrastructure as Code and GitOps”:

“In GitOps workflows, changes are made in feature branches, reviewed via pull requests, and merged into protected branches only after validation, ensuring auditability and control over infrastructure deployments.”

Other options:

A. Direct commits to protected branches are restricted and violate GitOps practices.

C. The development branch may exist, but the question specifies main is the default, and the correct process requires a PR.

D. Rebase is for integrating histories, not submitting approved changes.

Comprehensive and Detailed Explanation From Exact Extract:

“Identity as the perimeter” is a core principle of Zero Trust Architecture (ZTA). Rather than relying on traditional network-based perimeters, access is granted based on user identity and device posture. This is essential for remote users accessing cloud workloads, ensuring secure authentication regardless of physical location.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Zero Trust and Identity-Centric Security”:

“Zero Trust shifts the trust boundary from the network to the user and device identity. ‘Identity as the perimeter’ ensures only verified users and devices are granted access to resources.”

Other options:

A. Secure service edge (SSE) is a broad cloud security model, but not a specific ZTA principle.

B. CASBs monitor cloud app usage, not core access authentication.

C. Principle of least privilege is a supporting concept, but not the primary perimeter defense mechanism.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Video surveillance (A) provides continuous monitoring and allows for real-time, remote visibility of secure locations, such as computer rooms. When integrated with analytics, video surveillance systems can detect movement after hours or unauthorized access and generate immediate alerts. These systems also maintain video logs that can be audited later.

NFC access cards (B) allow controlled access to physical areas, generating time-stamped logs for each entry attempt. When connected to an access control system, these cards can trigger alerts for unauthorized access attempts, such as the use of expired credentials or access during restricted hours.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — Security Controls and Physical Security Section:

“Security access systems using NFC or smart cards allow traceability of personnel entry through electronic logs, while surveillance systems provide visibility and support forensic investigations.”

“Video surveillance allows real-time monitoring of physical environments and helps detect unauthorized presence or access in sensitive locations.”

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Weighted load balancing allows distribution of traffic based on server capacity or assignedweights. In this case, the new node should receive a weight of 3, and each of the three older nodes a weight of 1. This ensures the new node handles the same total number of requests as the other three combined (3:1:1:1).

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Load Balancing Algorithms and Traffic Distribution”:

“Weighted load balancing accounts for node capacity, distributing requests proportionally according to performance capability or administrator-defined weights.”

Other options:

A. Round-robin sends traffic equally to all servers regardless of capacity.

B. Load-based requires dynamic performance measurement and is more complex.

C. Least connections may work in certain cases, but doesn’t guarantee proportional traffic split based on server performance.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Using a spectrum analyzer to inspect the 6GHz frequency range allows the administrator to confirm the presence and source of interference. This step aligns with the “identify the problem” phase of the CompTIA troubleshooting methodology. Before making changes or documenting channels, the administrator must validate whether interference exists and collect diagnostic data.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Troubleshooting Methodology and Wireless Interference”:

“Spectrum analyzers provide a visual representation of frequency usage and interference in wireless bands, allowing administrators to isolate the root cause of degraded performance before implementing corrective actions.”

Other options:

A. Testing performance (Step 5 in the methodology) comes after identifying and resolving the issue.

C. Documentation is performed during the final step of troubleshooting.

D. Changing channels without evidence may worsen interference if the problem is not confirmed.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

D includes all the key elements of Zero Trust:

MFA (Multi-Factor Authentication) supports secondary passkey-based authentication.

Geolocation settings enforce geo-restrictions.

SSO federation allows use of an existing SAML identity provider.

Continuous access policies support dynamic reauthentication based on changes in posture.

Trusted endpoint policies ensure only corporate-owned, compliant devices are allowed to connect.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Zero Trust Architecture and Identity Management”:

“ZTA enforces continuous access policies that monitor session state, posture, and user behavior.”

“Federated identity with SSO and posture-based trust evaluation are core ZTA components.”

“Geo-restrictions and trusted endpoint policies limit exposure and enforce device compliance.”

Other options:

A uses static session tokens and disables timely expiration, violating Zero Trust principles.

B allows BYOD and disables auditing, which conflicts with compliance and monitoring.

Comprehensive and Detailed Explanation From Exact Extract:

Geofencing is a network access control method that enforces restrictions based on location data. In this scenario, the organization requires access to be permitted only when users are on premises (i.e., within a specific physical location). Geofencing can be implemented using source IP ranges or GPS-based location data to define boundaries (fences). This allows access to certain applications or services only when the user is inside a designated network or area.

MFA (Option A) provides identity assurance but does not enforce physical location-based restrictions.

UEBA (Option C) provides behavioral analytics but is not used for real-time access control.

PKI (Option D) provides identity validation through certificates but is not location-aware.

Relevant Extract from CompTIA CloudNetX CNX-001 Official Study Guide:

“Geofencing allows organizations to define physical or logical boundaries that restrict or allow access based on user location. Policies can be configured to allow access only when users are on a trusted campus or corporate network, denying requests originating from outside the geofenced area.”

Covered under the topic: “Access Control Technologies and Identity Enforcement Mechanisms.”

Comprehensive and Detailed Explanation From Exact Extract:

In the 2.4 GHz Wi-Fi band, channels overlap due to how the frequency spectrum is divided. To prevent co-channel and adjacent-channel interference, only non-overlapping channels should be used. According to the IEEE 802.11 standard and best practices outlined in the CompTIA CloudNetX CNX-001 Study Guide under “Wireless Network Optimization,” the three non-overlapping channels in the 2.4 GHz band are:

Channel 1 (2.412 GHz)

Channel 6 (2.437 GHz)

Channel 11 (2.462 GHz)

These channels are spaced far enough apart to avoid interference, even when operating in close proximity. Using overlapping channels (as in options A, B, and D) causes signal degradation and poor performance due to increased contention and retransmissions.

Relevant Extract from CompTIA CloudNetX CNX-001:

“Wi-Fi networks operating on the 2.4 GHz band should use channels 1, 6, and 11 to ensure maximum throughput and minimal interference in environments with multiple access points.”

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A mesh topology provides multiple redundant paths between nodes. It offers the highest availability and fault tolerance by allowing communication to continue even if one or more links or nodes fail. This is especially important in rural healthcare systems where reliability and access to critical services are paramount.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Network Topologies and Redundancy Models”:

“Mesh topologies provide optimal fault tolerance and support consistent data transmission through redundant links, ideal for mission-critical systems.”

Other options:

A. Collapsed core is cost-efficient but not fully redundant.

B. Hub-and-spoke introduces a single point of failure at the hub.

D. Star also relies on a central node and is not fault tolerant.

================================================

BLE (Bluetooth Low Energy) is a wireless personal area network (WPAN) technology designed for applications that require lower energy consumption and reduced cost while maintaining a communication range similar to classic Bluetooth. BLE supportslocation tracking with an accuracy range typically between 1 to 2 meters (approximately 3 to 6 feet), making it ideal for applications that demandfine-grained location services, such as stadium services requiring real-time user proximity data.

According to theCompTIA CloudNetX CNX-001 Official Objectives, under theNetwork Architecture domain, specifically in the subdomain:

"Wireless Technologies: Identify capabilities of BLE, NFC, RFID, and IoT devices within a network environment,"it is outlined that:

"BLE enables proximity-based services and real-time indoor location tracking with high accuracy when used with beacon infrastructure."

"BLE beacons can be deployed throughout a physical space, transmitting signals received by mobile applications to determine a user’s location within a few feet."

"BLE is widely adopted for use cases including indoor navigation, asset tracking, and personalized user engagement, making it a critical technology for modern high-density venues such as stadiums."

In comparison:

SSIDmerely identifies a wireless network and has no location tracking function.

NFCrequires close contact (under 4 cm), and is not suitable for continuous or broad-range tracking.

IoTis an overarching category that includes connected devices and sensors; however, IoT is not a standalone location tracking technology. It may include BLE as a component, butBLE specifically provides the precise location tracking functionality.

These distinctions are explicitly addressed in theCompTIA CloudNetX CNX-001 Study Guide, under the section:

“Emerging Network Technologies and Architectures”, where BLE is described as a key enabling technology for context-aware and location-based services in enterprise and public environments.

Comprehensive and Detailed Explanation From Exact Extract:

The local machine has the IP address 10.21.12.8 and the physical address 1A-21-11-33-44-5A.However, the ARP table shows that 10.21.12.8 is mapped to a different MAC address (1A-21-11-31-74-4C), meaning another device on the network is responding to ARP requests for the same IP. This is a clear sign of an IP address conflict, which would prevent the workstation from functioning properly on the network.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Troubleshooting IP Addressing Issues”:

“An IP conflict occurs when two devices on the same network are assigned the same IP address. Symptoms include connectivity loss, duplicate ARP entries, and inconsistent routing behavior.”

Other options:

A. Asynchronous routing refers to packets taking different return paths, which is unrelated to ARP inconsistencies.

C. DHCP server issues would affect IP assignment but are not indicated here — the workstation has an IP address assigned.

Comprehensive and Detailed Explanation From Exact Extract:

API throttling limits the number of requests a user or system can make in a given time frame. This ensures that no single customer overwhelms the service, maintaining fair access and stability for all users during peak usage periods. It is cost-effective as it avoids unnecessary resource scaling.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “API Management and Traffic Control”:

“Throttling allows for controlled usage of APIs, preventing service degradation and ensuring equitable access during high traffic periods.”

Other options:

A. Allow lists control access, not traffic volume.

B. Increasing VMs increases cost and may not scale linearly.

D. MTU settings affect packet size but not API-level fairness or traffic spikes.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

To better secure administrative interfaces, the best practice is to isolate them from the production network by connecting the management ports to a separate, dedicated management network. This prevents unauthorized access from devices or users on the production subnet and reduces the attack surface.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Securing Network Infrastructure”:

“Management interfaces should be placed on a separate out-of-band management network, providing physical and logical separation from user and data traffic.”

This ensures that only trusted devices on the management network can access the administrative interfaces.

Other options:

B. Disabling unused ports is good practice but does not address the segregation of management traffic.

C. Placing admin interfaces and production traffic on the same VLAN exposes them to potential internal threats.

D. Firmware upgrades are important for security patches but do not isolate the interface.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A 403 Forbidden error indicates that the request was understood by the server but is refusing to fulfill it due to insufficient authorization. The developer is attempting to call a protected API that requires valid credentials such as an access key and signature (often used in HMAC-based APIs), but the values appear as Postman variables (e.g., {{rapyd_access_key}}), which suggests they were not replaced with actual credentials.

This typically means that the request lacks proper authentication or authorization headers, or the keys/signature are incorrect or missing. The presence of access_key, signature, salt, and timestamp in the request implies the API requires authentication, but the variables were not resolved or valid.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “API Security and Authentication”:

“A 403 error typically results from failed authentication or lack of proper authorization. Developers must ensure that tokens or signatures are valid, not missing, and properly injected.”

Other options:

A. 404 is the code for a missing resource, not 403.

C. A firewall rule would block the request entirely (e.g., no response or a 0 status), not result in a 403 from the server.

D. HTTP redirection issues typically result in 3xx codes, not 403.

Comprehensive and Detailed Explanation From Exact Extract:

B. Single Sign-On (SSO) — SSO enables users to authenticate once using a unified set of credentials and gain access to multiple applications. It improves user experience and simplifies identity management.

E. Conditional Access Policy — This supports dynamic enforcement of access policies based on user location, device, risk level, and session characteristics. It allows administrators to define rules such as only allowing access from authorized geographic regions and automatically enforcing session timeouts or requiring reauthentication.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Identity and Access Management (IAM)”:

“SSO provides seamless authentication across services while reducing password fatigue and attack surfaces.”

“Conditional Access enforces access controls based on real-time conditions such as location, device compliance, and session context, supporting dynamic security postures.”

Other options:

A. Role-based access defines permissions but does not handle location or session control.

C. Static IP allocation does not offer user-based access controls.

D. MFA enhances security but is not directly aligned with all the listed requirements.

F. Risk-based authentication evaluates threat levels but does not handle session timeout or location enforcement directly.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A Web Application Firewall (WAF) is primarily used for inspecting HTTP/HTTPS requests and filtering out malicious traffic, such as SQL injection or cross-site scripting (XSS) attacks. However, WAFs do not restrict access based on geographical location by default.

To control access to the cloud-hosted application based on geographical location, the correct measure is to implement geo-restriction (geo-blocking). This technique limits access to cloud-based resources by using the source IP’s geographical origin. Geo-restriction is typically enforced at the cloud firewall or load balancer level.

Relevant Extract from CompTIA CloudNetX CNX-001 Official Objectives:

“Cloud access control policies can enforce geo-restriction settings, ensuring applications and services are only accessible from authorized geographic regions.”

Also found under “Security Controls in Cloud Deployments” section:

“Geo-restriction uses IP geolocation data to restrict access to services based on geographic criteria, supporting compliance and security requirements.”

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Privileged Access Management (PAM) is the optimal solution to control, audit, and secure administrative access to systems and services. PAM enables role-based approval workflows, time-limited access, auditing, and credential rotation, fully aligning with the requirements.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Identity and Access Controls”:

“Privileged Access Management allows fine-grained control over administrator-level access, supports just-in-time access provisioning, password rotation, and audit logging.”

Other options:

B. Session-based tokens allow temporary access but do not enforce policies or auditing.

C. Conditional access provides policy enforcement based on context but lacks full PAM features.

D. ACLs control access to resources but don’t manage privilege workflows or audits.

Comprehensive and Detailed Explanation From Exact Extract:

A SIEM (Security Information and Event Management) system aggregates logs from various sources, including cloud environments, and provides real-time analytics, threat detection, and automated alerting. It integrates with cloud workloads via agents or APIs and enables centralized visibility and response capabilities.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Security Monitoring and Event Correlation”:

“SIEM solutions consolidate logs from multiple environments, including cloud and on-premises, providing automated detection, alerting, and correlation of security events.”

“A SIEM supports compliance and improves incident response through real-time monitoring.”

Other options:

A. IDS/IPS are used for intrusion detection/prevention but do not provide log consolidation or alert correlation.

C. Data lakes store large volumes of data but lack real-time alerting without additional tools.

D. Syslog is a protocol for log transport, not a detection and alerting mechanism.